feat(bash-script): Drop all dc- scripts

[kiblik]

Since DD does not support MySQL and RabbitMQ, dc- scripts do not have additional values (they existed to simplify usage of --profile and --env-file parameters). Now they are more limiting as they support only one additional parameters.

As only one DB backed and one MB backed is used, --no-deps is no longer needed.

Scripts for unittests and integration tests are still useful (from my perspective). But they have been renamed to decrease confusion as to why they are named that way.

[dryrunsecurity]

DryRun Security Summary

The pull request focuses on improving DefectDojo's deployment, testing, and documentation processes, with minor security considerations around input validation, container configuration, and testing practices, while not introducing any significant security vulnerabilities.

Expand for full summary

Summary:

The provided code changes span multiple files and focus on various aspects of the DefectDojo project, including documentation updates, GitHub Actions workflows, and script modifications. From an application security perspective, the changes do not introduce any obvious security vulnerabilities, but there are a few areas that should be considered:

1. Docker Compose and Container Security: The changes involve updates to the Docker Compose configuration and scripts, which are important for ensuring the secure deployment and operation of the DefectDojo application. It's crucial to maintain a vigilant approach to container security, including proper configuration, dependency management, and image scanning.

2. Input Validation and Sanitization: Some of the changes involve the use of user-supplied input, such as environment variables and test case names. It's important to ensure that these inputs are properly validated and sanitized to prevent potential injection attacks (e.g., SQL injection, command injection).

3. Secure Testing Practices: The changes include updates to the unit and integration testing workflows. While testing is a crucial aspect of application security, it's important to ensure that the test data and environment do not contain any sensitive information that could be accidentally exposed or misused.

4. Secure Documentation and Configuration Management: The documentation updates, such as the instructions for upgrading and running DefectDojo, are important for ensuring that users can securely deploy and maintain the application. It's crucial to keep these documents up-to-date and accurate, and to consider the security implications of any changes.

Overall, the changes in this pull request appear to be focused on improving the deployment, testing, and documentation of the DefectDojo project, which is a positive step from an application security perspective. However, it's important to continue to monitor the project's security posture and address any potential vulnerabilities that may arise.

Files Changed:

1. README.md: The changes introduce instructions for running DefectDojo using Docker Compose V2 and provide guidance for the older Docker Compose V1. The changes do not introduce any obvious security concerns.

2. .github/workflows/integration-tests.yml: The changes remove the --no-deps flag from the docker compose up commands, ensuring that all necessary containers are started. This is a positive security enhancement.

3. .github/workflows/rest-framework-tests.yml: The changes remove the --no-deps flag from the docker compose up command, which is a security improvement. However, the use of raw SQL queries in the getPastOrderCount() method should be reviewed for potential SQL injection vulnerabilities.

4. .github/workflows/fetch-oas.yml: The changes remove the --no-deps flag from the docker compose up command, which is a positive change. However, the use of hardcoded versions and the potential for a denial of service (DoS) situation should be considered.

5. docs/content/en/open_source/upgrading/2.43.md: The changes are primarily documentation updates, which do not introduce any obvious security concerns.

6. docs/content/en/open_source/upgrading/_index.md: The changes focus on improving the upgrade process, which is a positive security practice.

7. docs/content/en/open_source/contributing/how-to-write-a-parser.md: The changes update the instructions for running unit tests for parsers, which is a positive security practice.

8. run-integration-tests.sh: The changes improve the integration testing process and do not introduce any obvious security concerns, but the use of environment variables should be reviewed for potential security implications.

9. docs/content/en/open_source/upgrading/upgrading_guide.md: The changes provide instructions for upgrading the DefectDojo application, focusing on security-related aspects such as database migrations and versioning.

10. readme-docs/DOCKER.md: The changes streamline the Docker Compose instructions and include guidance on running the application with HTTPS, which is a security best practice.

11. run-unittest.sh: The changes are minor and do not introduce any obvious security concerns, but the input validation and secure test data should be reviewed.

Code Analysis

We ran 9 analyzers against 16 files and 0 analyzers had findings. 9 analyzers had no findings.

View PR in the DryRun Dashboard.

[dryrunsecurity]

DryRun Security Summary

The pull request focuses on improving DefectDojo's deployment, testing, and documentation through various file changes, with an emphasis on maintaining application security by addressing potential vulnerabilities in Docker configurations, input validation, testing practices, and documentation management.

Expand for full summary

Summary:

The provided code changes span multiple files and focus on various aspects of the DefectDojo project, including documentation updates, GitHub Actions workflows, and script modifications. From an application security perspective, the changes do not introduce any obvious security vulnerabilities, but there are a few areas that should be considered:

1. Docker Compose and Container Security: The changes involve updates to the Docker Compose configuration and scripts, which are important for ensuring the secure deployment and operation of the DefectDojo application. It's crucial to maintain a vigilant approach to container security, including proper configuration, dependency management, and image scanning.

2. Input Validation and Sanitization: Some of the changes involve the use of user-supplied input, such as environment variables and test case names. It's important to ensure that these inputs are properly validated and sanitized to prevent potential injection attacks (e.g., SQL injection, command injection).

3. Secure Testing Practices: The changes include updates to the unit and integration testing workflows. While testing is a crucial aspect of application security, it's important to ensure that the test data and environment do not contain any sensitive information that could be accidentally exposed or misused.

4. Secure Documentation and Configuration Management: The documentation updates, such as the instructions for upgrading and running DefectDojo, are important for ensuring that users can securely deploy and maintain the application. It's crucial to keep these documents up-to-date and accurate, and to consider the security implications of any changes.

Overall, the changes in this pull request appear to be focused on improving the deployment, testing, and documentation of the DefectDojo project, which is a positive step from an application security perspective. However, it's important to continue to monitor the project's security posture and address any potential vulnerabilities that may arise.

Files Changed:

1. README.md: The changes introduce instructions for running DefectDojo using Docker Compose V2 and provide guidance for the older Docker Compose V1. The changes do not introduce any obvious security concerns.

2. .github/workflows/integration-tests.yml: The changes remove the --no-deps flag from the docker compose up commands, ensuring that all necessary containers are started. This is a positive security enhancement.

3. .github/workflows/rest-framework-tests.yml: The changes remove the --no-deps flag from the docker compose up command, which is a security improvement. However, the use of raw SQL queries in the getPastOrderCount() method should be reviewed for potential SQL injection vulnerabilities.

4. .github/workflows/fetch-oas.yml: The changes remove the --no-deps flag from the docker compose up command, which is a positive change. However, the use of hardcoded versions and the potential for a denial of service (DoS) situation should be considered.

5. docs/content/en/open_source/upgrading/2.43.md: The changes are primarily documentation updates, which do not introduce any obvious security concerns.

6. docs/content/en/open_source/upgrading/_index.md: The changes focus on improving the upgrade process, which is a positive security practice.

7. docs/content/en/open_source/contributing/how-to-write-a-parser.md: The changes update the instructions for running unit tests for parsers, which is a positive security practice.

8. run-integration-tests.sh: The changes improve the integration testing process and do not introduce any obvious security concerns, but the use of environment variables should be reviewed for potential security implications.

9. docs/content/en/open_source/upgrading/upgrading_guide.md: The changes provide instructions for upgrading the DefectDojo application, focusing on security-related aspects such as database migrations and versioning.

10. readme-docs/DOCKER.md: The changes streamline the Docker Compose instructions and include guidance on running the application with HTTPS, which is a security best practice.

11. run-unittest.sh: The changes are minor and do not introduce any obvious security concerns, but the input validation and secure test data should be reviewed.

Code Analysis

We ran 9 analyzers against 16 files and 0 analyzers had findings. 9 analyzers had no findings.

View PR in the DryRun Dashboard.

[mtesauro]

Thanks for this PR - it was on my list of things to simplify in DefectDojo so it's as easy to use as is feasible and, like you noticed, not having MySQL & RabbitMQ support means those dc- things are no longer necessary 👍

[mtesauro]

Approved